Armored Likho spear-phishing and malware-delivery campaign targeting government and power sectors
Campaign
Summary
Hide ▲
Show ▼
The Armored Likho campaign is using spear-phishing and malware-delivery chains to target government agencies and the electric power sector across Russia, Brazil, and Kazakhstan, creating persistent access and credential-theft risk. The operation combines lures tied to official government notices or social programs with RAR archives, EXE droppers, and follow-on payloads. Operators also use Go2Tunnel, BusySnake Stealer, and scheduled tasks to maintain access, exfiltrate data, and support remote tunneling. The activity overlaps with Eagle Werewolf and shows an expanding toolkit aimed at espionage and financial theft.
Timeline
-
03.07.2026 16:36 1 articles · 6d ago
Armored Likho campaign targets government agencies and power-sector organizations across Russia, Brazil, and Kazakhstan
Initial DisclosureKaspersky attributed Armored Likho to cyber attacks against government agencies and the electric power sector across Russia, Brazil, and Kazakhstan, describing spear-phishing emails that use official government notice and social-program lures, RAR archives and EXE droppers, BusySnake Stealer, and Go2Tunnel for persistence, credential theft, data exfiltration, and reverse SSH tunneling. Alternate chains abused CVE-2025-9491 through Windows LNK files to trigger obfuscated PowerShell and loader execution, while the cluster also overlaps with Eagle Werewolf.
Show sources
- Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer — thehackernews.com — 03.07.2026 16:36